Risque Management
http://blogs.msmvps.com/sp
Just another Microsoft MVPs site
Fri, 15 Aug 2014 13:48:12 +0000

Reporting new and dormant computer accounts
http://blogs.msmvps.com/sp/2014/01/16/reporting-of-new-and-dormant-computer-accounts/
Thu, 16 Jan 2014 23:06:00 +0000

Colleagues just asked me to list Windows servers that have just been commissioned, and also those that might not have been decommissioned properly. I have multiple sources of information: Active Directory, CMDB, SCCM, monitoring systems (ideally, the numbers in all of those should match). So I have used Powershell to report out of AD. The idea is simple: the whenCreated attribute indicates the system commissioning date; pwdLastSet is the computer account password timestamp, which changes every 30 days, so accounts with pwdLastSet older than 90 days probably belong to computers that no longer exist (or are non-Windows clients that don’t change passwords regularly, or Windows cluster computer accounts); and the operatingSystem attribute can be used to tell servers from workstations. The script is quite self-explanatory and doesn’t require Powershell modules:

As always with Powershell, you can feed the search results into a variety of cmdlets, such as Get-ADComputer or Test-Connection.
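One way to build that report with nothing but ADSI, as an added example that is not the post’s own script: the 30-day “new” and 90-day “dormant” thresholds and the operatingSystem=*Server* filter are assumptions chosen to match the description above.

```powershell
# Added example, not the post's own script: query AD through ADSI (no modules)
# for Windows server accounts created in the last 30 days or whose password
# has not rotated for 90 days. Both thresholds and the "*Server*" OS filter are
# assumptions chosen to match the post; adjust them for your environment.
$NewDays     = 30
$DormantDays = 90
$now = Get-Date

# pwdLastSet is a FILETIME (100 ns ticks since 1601 UTC) and whenCreated a
# generalized-time string, so each LDAP comparison uses its own encoding.
$dormantCutoff = $now.AddDays(-$DormantDays).ToFileTimeUtc()
$newCutoff     = $now.AddDays(-$NewDays).ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]''      # current domain's default naming context
$searcher.PageSize   = 1000          # paged results, so large domains are not cut off at 1000
$searcher.Filter     = "(&(objectCategory=computer)(operatingSystem=*Server*)" +
                       "(|(whenCreated>=$newCutoff)(pwdLastSet<=$dormantCutoff)))"
foreach ($p in 'name','operatingSystem','whenCreated','pwdLastSet','dNSHostName') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$report = foreach ($r in $searcher.FindAll()) {
    $created = [datetime]$r.Properties['whencreated'][0]
    $pwdSet  = [datetime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0])
    [pscustomobject]@{
        Name            = [string]$r.Properties['name'][0]
        OperatingSystem = [string]$r.Properties['operatingsystem'][0]
        Created         = $created
        PasswordLastSet = $pwdSet
        # A box commissioned this month always has a fresh password, so the
        # dormant test is decisive whenever it fires.
        Status          = $(if ($pwdSet -lt $now.AddDays(-$DormantDays)) { 'Dormant' } else { 'New' })
    }
}

$report | Sort-Object Status, Name | Format-Table -AutoSize

# Dormant candidates: confirm with a ping before treating them as gone, as the
# post suggests; cluster and non-Windows accounts will show up here too.
$report | Where-Object Status -eq 'Dormant' | ForEach-Object {
    $alive = Test-Connection -ComputerName $_.Name -Count 1 -Quiet
    '{0}: {1}' -f $_.Name, $(if ($alive) { 'responds to ping' } else { 'no reply' })
}
```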

What’s the fastest supercomputer in the world?
http://blogs.msmvps.com/sp/2011/12/21/what-s-the-fastest-supercomputer-in-the-world/
Wed, 21 Dec 2011 19:41:00 +0000

It’s probably not what we think it is. Top 500 is the most widely publicised list of top-performing supercomputers, but apparently it’s missing some of the world’s top computing powerhouses. Here’s what Jeff Wierer, who is currently director of HPC at Microsoft, said in an interview last year:

I don’t think there’s much financial incentive for private sector firms to get visibility on that website. For example, if you’re a large investment bank, the time required to take down that system and run the benchmarks to get into the top 500 is prohibitive, especially in the current economic climate. We have a customer running 32,000 servers in a cluster. Running the benchmark on that would make them number one, but as I said there’s no financial incentive for them to do that.

There’s quite a bit of competition in the HPC space, so Microsoft wouldn’t be the only vendor helping to build amazing number crunchers about which the general public has little or no knowledge.

Offline root CA is an outdated concept
http://blogs.msmvps.com/sp/2011/07/07/offline-root-ca-is-an-outdated-concept/
Thu, 07 Jul 2011 03:01:00 +0000

My first experience with PKI was back in 1997. We (Andy Khomenko, currently with Caspio, and I) were developing a business-to-business e-commerce site. We decided to use client certificates for authentication, as the just-released IIS 2.0 on Windows NT 4.0 supported them. There was no Microsoft CA back then, so I wrote a CGI wrapper around SSLeay (now OpenSSL) that managed client requests and the certificate issuance process and kept the relevant logs in a Microsoft SQL Server database. Looking back, the whole setup wasn’t very secure, and not only because of the endless vulnerabilities in the technologies that we used. But in the end we had a working product using then-leading-edge technologies, and cut our teeth in e-commerce technology and Internet security.

In the early 2000s I saw the transition of an internal PKI from a test facility running from a floppy in a guy’s desktop to an enterprise service with countless applications depending on it. At the same time, the certificate authority key migrated from the floppy to an HSM, the hardware security module. HSMs are amazing devices: they can require multiple people with smart cards to perform an operation (depending on the policy, even basic tasks like signing a certificate request or a CRL may require multiple custodians to be present), and can drop keys if the device is shaken or the temperature changes. The whole idea is to have private keys stored more securely than anywhere on commodity hardware and operating systems.

Amazingly, while HSMs have prevailed in enterprise environments, design decisions are still made as if the CA keys were stored in the Inetpub folder on a Windows NT 4.0 SP1 system. That’s the rationale behind the implementation of the offline root CA.

In Deploying and Managing PKI inside Microsoft (a must-read), under MS PKI Security Requirements, the Microsoft guys say: “Even though Microsoft internal hierarchy no longer had the previous intermediate CAs, Microsoft IT did not lower any of the existing security controls. The root and the new intermediate CA were offline and never exposed to network traffic, thereby minimizing the chance of a compromise“. But hang on: what is a compromise of a CA?

There are two common fault scenarios: issuance of certificates to unintended recipients, and losing ownership of the CA keys. The first scenario is not mitigated by an offline root: you revoke the certificates and possibly review the process. That has happened with VeriSign and other commercial CAs. The second scenario, total loss of the CA keys, is mitigated by the use of an HSM. Even if you own the system connected to the HSM, you can’t get the keys out.

One might say: what if you compromise a system that can connect to the HSM and use that as a base to exploit a vulnerability in the HSM? That assumes the infrastructure is already owned by someone else, who will hardly need to spend time on a research project to find a vulnerability in the HSM. And the trivial solution is to keep the HSM, not the client system, offline.

Technology evolves. The offline root CA is just one of those obsolete ideas that are labeled “best practice” in the hope that there will be no critical analysis.

IPv6: back to basics
http://blogs.msmvps.com/sp/2011/06/13/ipv6-back-to-basics/
Mon, 13 Jun 2011 01:57:00 +0000

Recently I have enabled IPv6 on my home network. My ISP, Internode, has supported IPv6 for some time now, and I finally got around to purchasing a new router with IPv6 support. Most operating systems that I run at home (including Maemo on the Nokia N810) support IPv6 too. Fast forward a few weeks to World IPv6 Day: as it happens, I found a problem with my setup on the day when the whole world makes an effort to prove IPv6 maturity:

C:\Users\spadmin>ping ipv6.google.com
Ping request could not find host ipv6.google.com. Please check the name and try again.

Pinging 2404:6800:4006:802::1010 from 2001:44b8:78e1:1320:2d10:241c:5668:2f6a with 32 bytes of data:
Reply from 2404:6800:4006:802::1010: time=53ms
Reply from 2404:6800:4006:802::1010: time=51ms
Reply from 2404:6800:4006:802::1010: time=52ms
Reply from 2404:6800:4006:802::1010: time=53ms

Evidently the IPv6 protocol stack is left semi-functional. I admit I haven’t spent a lot of time configuring the network, but for my home the autoconfiguration features of the protocol are sufficient (and I was getting a 10/10 score in the IPv6 test).

I guess my point is this: the protocols are quite robust but it will take some time to shake down some implementation issues. It’s been four years since I have posted my view on the IPv6 enterprise. I stand by it.

And yes – my home network is on the Internet, without firewalls, gateways or any other masquerade.

UPDATE: Microsoft recognised irreversible IPv6 address deprecation as a bug in Windows Vista, 7, Server 2008 and 2008 R2 and will release a hotfix. I have the prerelease code and tested it successfully.

More ping goodness
http://blogs.msmvps.com/sp/2011/06/08/more-ping-goodness/
Wed, 08 Jun 2011 05:46:00 +0000

Strange problems with the corporate WAN? Welcome to my world. I’m a big enthusiast of ICMP diagnostics with ping (see Let there be ping!), and of traceroute and pathping as well. One particular issue is quickly identifiable with stock-standard ICMP ping. Look at this output, for example:

Obviously there’s packet loss, never a good sign. But the other line is out of the ordinary and signifies more than a congested link or a faulty cable: it’s the line where the return TTL differs from every other TTL. That means the ICMP echo reply took a different route, not the same one as the other 23 packets that were returned, which in turn points to a problem in the WAN routing infrastructure. IP, the Internet Protocol, was designed to survive a full-scale attack on communication lines, so changing routes are standard behaviour, but that shouldn’t happen on a normal day on your corporate network.
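The two signs described above, loss and a lone reply with a different TTL, can be picked out of raw ping output mechanically. This is an added example, not the post’s own output or script; the sample lines are constructed.

```powershell
# Added example, not the post's own output or script: spot the two signs the post
# describes in raw Windows ping output, lost packets and a reply whose TTL differs
# from the rest (an echo reply that came back a different way). The sample output
# below is constructed; in real use pipe "ping -n 25 host" into the function.
function Get-PingAnomaly {
    param([Parameter(Mandatory)][string[]]$Lines)
    $replies  = New-Object System.Collections.Generic.List[object]
    $timeouts = 0
    foreach ($line in $Lines) {
        if ($line -match '^Reply from (?<ip>\S+): bytes=\d+ time[=<](?<ms>\d+)ms TTL=(?<ttl>\d+)') {
            $replies.Add([pscustomobject]@{ Ip = $Matches.ip; Ms = [int]$Matches.ms; Ttl = [int]$Matches.ttl })
        } elseif ($line -match '^Request timed out') {
            $timeouts++
        }
    }
    if ($replies.Count -eq 0) { throw 'No echo replies found in the supplied output.' }
    # The TTL seen most often is the normal return path; every other TTL value means
    # that reply traversed a different number of hops, i.e. a different route.
    $normalTtl = [int]($replies | Group-Object Ttl | Sort-Object Count -Descending | Select-Object -First 1).Name
    [pscustomobject]@{
        Sent           = $replies.Count + $timeouts
        Received       = $replies.Count
        LossPercent    = [math]::Round(100 * $timeouts / ($replies.Count + $timeouts), 1)
        NormalTtl      = $normalTtl
        RouteAnomalies = @($replies | Where-Object { $_.Ttl -ne $normalTtl })
    }
}

# Constructed sample: 8 probes, one lost, one reply that took a longer path.
$sample = @(
    'Pinging 10.20.30.40 with 32 bytes of data:'
    'Reply from 10.20.30.40: bytes=32 time=41ms TTL=120'
    'Reply from 10.20.30.40: bytes=32 time=43ms TTL=120'
    'Reply from 10.20.30.40: bytes=32 time=40ms TTL=120'
    'Request timed out.'
    'Reply from 10.20.30.40: bytes=32 time=42ms TTL=120'
    'Reply from 10.20.30.40: bytes=32 time=97ms TTL=116'
    'Reply from 10.20.30.40: bytes=32 time=41ms TTL=120'
    'Reply from 10.20.30.40: bytes=32 time=44ms TTL=120'
)
$result = Get-PingAnomaly -Lines $sample
$result | Format-List Sent, Received, LossPercent, NormalTtl
$result.RouteAnomalies | Format-Table Ip, Ms, Ttl
```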

There’s one more thing. Check out Smokeping. It’s a ping monitor on steroids, something you really need in very dynamic and only partially stable environments. And it’s free, as in free beer.

Checking server SSL/TLS certificates – any service
http://blogs.msmvps.com/sp/2010/12/20/checking-server-ssl-tls-certificates-any-service/
Mon, 20 Dec 2010 19:02:00 +0000

With all kinds of services using TLS encryption, and many more using SSL wrappers like stunnel, the usual approach of using a Web browser or a service-specific client doesn’t work. This is where OpenSSL comes in handy. Its SSL client functionality is great for troubleshooting and discovery:

This allows fast and easy checking of the SSL/TLS configuration of all services: HTTP, SIP, IMAP, and anything using SSL wrappers. It would be good to have TLS discovery functionality integrated into a tool like nmap.

A toolset note: Win32 OpenSSL is very handy for Windows administrators.
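The same discovery can be done from PowerShell with no OpenSSL at all, against any port that speaks TLS directly (HTTPS, IMAPS, an stunnel wrapper). This is an added example, not the post’s own command; the host name in the usage line is a placeholder, and services that upgrade via STARTTLS are out of scope.

```powershell
# Added example, not the post's own command: fetch and describe the certificate
# any host:port presents over direct TLS, using .NET SslStream instead of OpenSSL.
# STARTTLS services are out of scope; the host in the usage line is a placeholder.
function Get-RemoteTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $seen = @{ ChainErrors = 'None' }
    # Record what the OS chain builder thinks, but never abort: the point is to
    # see the certificate a misconfigured service actually presents.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $seen.ChainErrors = $errors
        return $true
    }.GetNewClosure())
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # HostName is also sent as SNI
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the Subject Alternative Name extension; Format() renders it as text
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Target         = "${HostName}:$Port"
            Protocol       = $ssl.SslProtocol
            Cipher         = $ssl.CipherAlgorithm
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            SubjectAltName = $san
            NotBefore      = $cert.NotBefore
            NotAfter       = $cert.NotAfter
            DaysToExpiry   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint     = $cert.Thumbprint
            ChainErrors    = $seen.ChainErrors
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Placeholder target; an IMAPS server on 993 or an stunnel-wrapped service works the same way.
Get-RemoteTlsCertificate -HostName 'host.example.com' -Port 443 | Format-List
```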

Open source takes on Active Directory
http://blogs.msmvps.com/sp/2010/01/30/open-source-takes-on-active-directory/
Sat, 30 Jan 2010 23:12:00 +0000

Coming out of the Red Hat ecosystem is FreeIPA, a self-styled integrated security information management solution. IPA stands for Identity, Policy, Audit. Make no mistake: there is no PaidIPA, and FreeIPA is a take on Active Directory, combining the OS, LDAP and Kerberos and integrating Web and certificate services, as well as other infrastructure services, into the software stack. Detailed features:

Version 1 will focus on:
- Allowing an administrator to quickly install, set up, and administer one or more IPA servers for centralized authentication and user identity management.

Version 2 will focus on:
- Adding DNS and Certificate Authority to the IPA core
- Allowing an admin to join a machine to an IPA realm
- Providing Kerberos principal and cert to the joined machine
- Providing service keytabs and service certificates to services
- Managing the keytabs and certificates once provided
- Plug-in architecture for IPA extensibility. freeRADIUS as a first plugin.

I assume there will be an easy way to integrate email and real-time communications system into the IPA.

We have had all of this (bar a mandatory access control system) in Active Directory for a long while now. UNIX and Linux integrate well into AD through Samba and Likewise Open. But an integrated authentication and authorisation subsystem designed specifically for Linux was missing; until now, there were only bits and pieces that were hard to integrate. FreeIPA is an attempt to close that gap and create some competition for Active Directory, which is a good thing.

When security doesn’t work
http://blogs.msmvps.com/sp/2009/12/27/when-security-doesn-t-work/
Sun, 27 Dec 2009 22:02:00 +0000

A few days back, a hater named Umar Farouk Abdulmutallab tried to blow up an airplane and kill 289 people aboard and maybe more on the ground. He was stopped by another passenger, Jasper Schuringa, a Dutch movie maker.

Air Canada said in a statement that new rules imposed by the Transportation Security Administration limit on-board activities by passengers and crew in U.S. airspace. The airline said that during the final hour of flight passengers must remain seated. They won’t be allowed access to carryon baggage or to have any items on their laps.

Flight attendants on some domestic flights are informing passengers of similar rules. Passengers on a flight from New York to Tampa Saturday morning were also told they must remain in their seats and couldn’t have items in their laps, including laptops and pillows.

Note this: if the rules had already been in place and the passengers had strictly followed them, Mr. Schuringa wouldn’t have been able to subdue the terrorist: he had to leap over a few seat rows to do that. Apparently, that’s no longer allowed. It doesn’t matter that explosives and flammable liquids were not allowed on the plane in the first place, and the TSA failed to enforce that. They issue a new ruling that doesn’t make sense (last hour, huh?) and is almost impossible to enforce. It reminds me of the TSA requirement not to congregate on a plane headed for the United States.

This is not security, this is damage control. It happens too often in government, and in the corporate world as well.

Doing your job is hard but not impossible: analyse why security measures failed, and correct the problem. If the measures are wrong, try something new. Like, in case of transportation security, sedating all passengers.

It is okay to acknowledge your errors. But it is the definition of waste not to, and to keep doing the same. Take information security. Firewalls don’t work? Implement more firewalls. Intrusion detection systems don’t detect intrusions? Rename them intrusion prevention systems, and spend some more. Sounds familiar?

option explicit
'
' DiskPerfStats.vbs
'
' This script uses the SQLIO.exe utility to do a basic check
' of disk performance for all local disks.
'
' This script must be in the same folder as SQLIO.exe.
'
' Takes one (optional) parameter, which is the number of seconds that
' each SQLIO.exe test will run for, defaulting to 5.
'
' - Geoff Baxter
' 24/07/2008
'

' Declarations needed by the checks below (option explicit requires them;
' they are not in the listing as posted)
Dim fso, strSQLIOExe, TestDuration
Set fso = CreateObject("Scripting.FileSystemObject")
strSQLIOExe = "SQLIO.exe"

'----------------------------------------------------------------------
' Verify that SQLIO.exe exists in the current folder
'
if not fso.FileExists(strSQLIOExe) then
    wscript.echo "ERROR: " & strSQLIOExe & " not found in current folder."
    wscript.echo ""
    wscript.quit(1)
end if

'----------------------------------------------------------------------
' Get (optional) parameter & verify
'
If wscript.Arguments.count = 0 Then
    TestDuration = 5
else
    TestDuration = wscript.Arguments(0)
    if not isnumeric(TestDuration) then
        wscript.echo "ERROR: Parameter 1 (test duration) of '" & TestDuration & "' is invalid."
        wscript.echo "       This must be an integer, specifying the number of seconds each "
        wscript.echo "       SQLIO.exe test should run."
        wscript.echo ""
        wscript.quit(1)
    end if
end if

Check out other systems and results; there is some interesting information there.

It is a good idea to check the performance before and after changing the system parameters. You don’t need to purchase SPEC tests to do that – there are free tools available. Stay tuned for some details, or search away (if your OS of choice is Windows, use “sqlio” as the search criteria).